I have several servers running with Xenial (16.04 LTS). I ran a security scanning tool (AWS Inspector) that shows a list of unpatched CVE vulnerabilities on the server. A lot of them relate to binutils, for example https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6323.html
I can see that on that Canonical link above the package update is marked as needed, however I do:
sudo apt-get update
sudo apt-get upgrade --dry-run
I see no patches. I have recently run an upgrade successfully, so nothing new to pick up. But binutils is still triggering the alert and is at version 2.26.1-1ubuntu1~16.04.8.
Is there a way to upgrade binutils to patch these vulnerabilities on Xenial? Or is this a false alarm?
In this case, "needed" does NOT mean "We have uploaded a patched package and you need to upgrade now".
Instead, it means "This patch has yet to be applied by the Ubuntu Security Team, but it's on our to-do list."
You can double-check that using the plain old
apt-cache madison <packagename>
command. Madison will return the current package available from your release's Ubuntu repositories. For example, here's what is available at the moment I wrote this in Xenial (16.04):
You can see that your version 2.26.1-1ubuntu1~16.04.8 is the newest available.
Most folks don't need to install security upgrades by checking apt-cache and running apt commands. You certainly can if you wish, it's supported. But most folks in general usage should be using the Unattended Upgrades application that is part of the default install of all Ubuntu Desktop flavors and Ubuntu Server. It will check for new upgrades in the -security pocket daily, and install them without any fuss in the background.
If you need to know when a particular package was last upgraded, both apt and Unattended Upgrades log all activity in /var/log in an easy-to-grep format.
One note about this particular CVE - you will note that the Ubuntu Security Team has marked the priority 'low.' If your audits keep throwing that red flag, make sure your audit reviewer knows that you are tracking it, but it's a low priority. If you know something about this particular vuln that the Ubuntu Security Team has missed, and feel that it deserves a higher priority, then contact the Security Team and discuss the issue.
The Security Team welcomes volunteer testing and assistance. If volunteering to help package and test a low-priority fix happens to also clean up your audits, all the better. If you are curious about how the Security Team works, what it does, and how it prioritizes work, you might find their podcast illuminating.